
Splunk for WinSSHD question

asarolkar
Builder

All,

We installed Sideview Utils 2.4 and Splunk for WinSSHD (latest version) on our central search head running v 5.0.2

WARNING: no events found for sourcetype="winsshd". Are you sure you are indexing the data and that it is sourcetyped correctly?

Is there additional configuration needed to point our hosts or enable a scripted input that allows this sourcetype to push data to the app?

Any help is appreciated

sideview
SplunkTrust

It does mean that either no data is indexed with the sourcetype of "winsshd", or that it's being indexed but into some index other than index="main". Are either of these the case?

If you just go to the Search app, and run the search sourcetype=winsshd, do you get any events returned?

sideview
SplunkTrust

Nope, should be fine. I think it's probably something big enough that we'll resolve it in 5 mins with a phone call or a webex tomorrow. email me at nick [at] sideviewapps.com if you have any free time tomorrow.


asarolkar
Builder

Is there any configuration change needed on the search head itself?

So, I have a forwarder which is pushing data onto a search head and it's being written to sourcetype="winsshd"

I can see the data being written against sourcetype="winsshd" (in data inputs etc) but for some reason the App which is sitting on the search head does not acknowledge this.


sideview
SplunkTrust

No such special configuration is required, and in fact if you don't get anything returned for a search for sourcetype=winsshd, that simply means you have no data indexed, with that sourcetype, in index=main. Can you double check that the data input is set up correctly? In the data inputs screen it should list a number of files if it is actively matching files to index, and make sure sourcetype and index are set as you expect.
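
The check described in the answer above (is any monitor input actually writing sourcetype=winsshd into index=main?) can be done against the forwarder's inputs.conf before touching the search head. The following is an added example, not code from the Splunk for WinSSHD app or from either poster: a minimal parser for Splunk .conf stanza syntax plus a check that reports every monitor stanza that is disabled, has no sourcetype, or sends winsshd events somewhere other than the index the app searches. The inputs.conf content is constructed for the example, the paths in it are made up, and the assumption that the app searches index=main is taken from the answer above.

```python
"""Sanity-check a forwarder's inputs.conf: does any monitor input actually write
sourcetype=winsshd into the index the app searches? (Added example; not part of
the Splunk for WinSSHD app.)"""
import re
from typing import Dict, List, Tuple

# Assumption: the app searches index=main, as the answer above states.
EXPECTED_SOURCETYPE = "winsshd"
EXPECTED_INDEX = "main"

# Constructed sample inputs.conf, not copied from any real forwarder.
# Stanza 1 is correct, stanza 2 writes to a different index, stanza 3 sets no
# sourcetype, and the script stanza is unrelated and should be ignored.
SAMPLE_INPUTS_CONF = r"""
# forwarder inputs.conf (constructed sample)
[default]
host = sshgw01

[monitor://C:\WinSSHD\Logs\*.log]
sourcetype = winsshd
index = main
disabled = 0

[monitor://D:\sshlogs\archive\*.log]
sourcetype = winsshd
index = ssh

[monitor://D:\sshlogs\other\*.log]
index = main

[script://./bin/ps.sh]
sourcetype = ps
interval = 60
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf syntax: [stanza] headers, key = value
    lines and '#' comments. Keys stay case-sensitive, as Splunk treats them."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any stanza, or not a key = value pair
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def check_inputs(text: str,
                 sourcetype: str = EXPECTED_SOURCETYPE,
                 index: str = EXPECTED_INDEX) -> Tuple[List[str], List[str]]:
    """Return (ok_stanzas, findings). A monitor stanza is 'ok' when it is enabled,
    sets the expected sourcetype and lands in the expected index. A stanza that
    omits 'index' is treated as writing to main, which is Splunk's default unless
    indexes.conf changes it (assumption for this example)."""
    stanzas = parse_conf(text)
    defaults = stanzas.get("default", {})
    ok: List[str] = []
    findings: List[str] = []
    for name, keys in stanzas.items():
        if not name.startswith("monitor://"):
            continue
        eff = {**defaults, **keys}  # stanza settings override [default]
        if eff.get("disabled", "0").lower() in ("1", "true"):
            findings.append(f"{name}: input is disabled")
            continue
        st = eff.get("sourcetype")
        if st is None:
            findings.append(f"{name}: no sourcetype set; Splunk will auto-classify it")
            continue
        if st != sourcetype:
            continue  # feeds some other sourcetype; not this app's concern
        idx = eff.get("index", "main")
        if idx != index:
            findings.append(f"{name}: index is {idx!r}, but the app searches index={index}")
            continue
        ok.append(name)
    return ok, findings


if __name__ == "__main__":
    good, bad = check_inputs(SAMPLE_INPUTS_CONF)
    for name in good:
        print("OK     ", name)
    for finding in bad:
        print("CHECK  ", finding)
```

If every winsshd stanza comes back OK and the search head still returns nothing for sourcetype=winsshd, the input side is fine and the question moves to what actually arrived: a search over all indexes such as index=* sourcetype=winsshd | stats count by index, host, source shows whether the events exist at all and which index they landed in.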

asarolkar
Builder

I do not get any events returned for sourcetype=winsshd.

What if we DO have all our events written to index="main" but for some reason this app needs to be additionally configured to associate sourcetype="winsshd" with index="main"?
